Hello Samba People,

We have a Kerio Connect (email) server using Samba 4.8.5 as its directory service (3 AD DCs). We’ve been using this setup for about 3 years now.

Over the last several months, we’ve been trying to find out why Samba starts rejecting attempts that the Kerio Connect mail server makes to authenticate our users. The errors in Kerio look like this:

Authentication failed for user joe.schmoe at domain.com. Attempt from IP address 192.168.1.48. External authentication service rejected authentication due to invalid password or authentication restriction.

This will repeat about 40 times for 40 different users over the course of, say 5 minutes or as long as 20 minutes (in which case, it might affect all 130 users). Then, it just stops.

Now, this could be Kerio’s fault. So, I’m exploring all my options. A Kerio Connect server sends a lot of authentication requests per minute - like, sometimes 100 to 140. But I was wondering if anyone knows of any configuration settings I might be able to tweak on my DCs to make them more welcoming of rapid authentication requests?

Thank you!

Matthew
On Tue, 2018-09-18 at 12:19 -0500, Matthew Delfino via samba wrote:
> Hello Samba People,
>
> We have a Kerio Connect (email) server using Samba 4.8.5 as its
> directory service (3 AD DCs). We’ve been using this setup for about 3
> years now.
>
> Over the last several months, we’ve been trying to find out why Samba
> starts rejecting attempts that the Kerio Connect mail server makes to
> authenticate our users. The errors in Kerio look like this:
>
> Authentication failed for user joe.schmoe at domain.com. Attempt from IP
> address 192.168.1.48. External authentication service rejected
> authentication due to invalid password or authentication restriction.
>
> This will repeat about 40 times for 40 different users over the
> course of, say 5 minutes or as long as 20 minutes (in which case, it
> might affect all 130 users). Then, it just stops.
>
> Now, this could be Kerio’s fault. So, I’m exploring all my options. A
> Kerio Connect server sends a lot of authentication requests per
> minute - like, sometimes 100 to 140. But I was wondering if anyone
> knows of any configuration settings I might be able to tweak on my
> DCs to make them more welcoming of rapid authentication requests?

What I would do is try and work out what the error is on the Samba side, turning up the logs and using the JSON auditing feature to get good, machine-parsable data.

Then line up the failing authentications with the logs and try to work out a pattern. Is the LDAP server falling over due to out of memory for example, or is the server swapping?

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
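
One way to line up the failing authentications with the Samba logs, as suggested in the reply above. This is an added example, not code from the thread or from Samba: it groups non-OK results from one client by minute and by NT status, which separates wrong-password results from restrictions such as lockout. It assumes JSON authentication auditing is enabled on the DCs (`auth_json_audit:3` in `log level`); the field names are assumed from that log format, and the log lines, account names and second client address are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample, shaped like Samba's JSON authentication audit lines
# (field names are assumed from that format; check them against your own logs).
SAMPLE_LOG = """\
[2018/09/18 12:19:01.100000,  3] ../auth/auth_log.c(log_json)
  {"timestamp": "2018-09-18T12:19:01.100000-0500", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "remoteAddress": "ipv4:192.168.1.48:50001", "serviceDescription": "LDAP", "clientAccount": "user1"}}
  {"timestamp": "2018-09-18T12:19:05.200000-0500", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.1.48:50002", "serviceDescription": "LDAP", "clientAccount": "user2"}}
  {"timestamp": "2018-09-18T12:19:30.300000-0500", "type": "Authentication", "Authentication": {"status": "NT_STATUS_ACCOUNT_LOCKED_OUT", "remoteAddress": "ipv4:192.168.1.48:50003", "serviceDescription": "LDAP", "clientAccount": "user3"}}
  {"timestamp": "2018-09-18T12:20:02.400000-0500", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.1.48:50004", "serviceDescription": "LDAP", "clientAccount": "user2"}}
  {"timestamp": "2018-09-18T12:20:10.500000-0500", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:192.168.1.77:50005", "serviceDescription": "LDAP", "clientAccount": "user9"}}
"""


def parse_auth_events(text):
    """Yield one flat dict per JSON "Authentication" record; skip other lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # debug headers and non-JSON log output
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or interleaved line
        if isinstance(rec, dict) and rec.get("type") == "Authentication":
            event = dict(rec.get("Authentication") or {})
            event["timestamp"] = rec.get("timestamp", "")
            yield event


def failures_by_minute(text, client_ip):
    """Return {minute: {"statuses": Counter, "accounts": set}} for one client IPv4."""
    buckets = defaultdict(lambda: {"statuses": Counter(), "accounts": set()})
    for event in parse_auth_events(text):
        status = event.get("status", "UNKNOWN")
        if status == "NT_STATUS_OK":
            continue
        if not event.get("remoteAddress", "").startswith(f"ipv4:{client_ip}:"):
            continue
        minute = event["timestamp"][:16]  # e.g. "2018-09-18T12:19"
        buckets[minute]["statuses"][status] += 1
        buckets[minute]["accounts"].add(event.get("clientAccount"))
    return dict(buckets)


if __name__ == "__main__":
    for minute, b in sorted(failures_by_minute(SAMPLE_LOG, "192.168.1.48").items()):
        print(minute, dict(b["statuses"]), f"{len(b['accounts'])} account(s)")
```

Run it against the log from each of the three DCs for the window in which Kerio reported rejections; minutes with no records at all on a DC are as informative as minutes full of failures.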